CFE-Investigation Certified Fraud Examiner (CFE) - Investigation Question and Answers

Nonpublic records include banking, tax, credit, phone, credit card, and health care records.

Business entity organisational filings (corporate constitutions, articles of incorporation) are generally public records and can be obtained from the government.

Therefore, reviewing a company’s business filings does not require access to nonpublic records.

The Fraud Examiners Manual lists required steps before seizing evidence:

Obtain legal authority.

Review privacy issues.

Ensure software/hardware are validated.

Document surroundings, inspect for traps, image drives, etc.

There is no requirement to assemble a team exclusively of outside experts.

Before seizing evidence in a digital forensic investigation, the 2014 International Fraud Examiners Manual outlines several critical steps:

Obtain legal authority / review orders:

“Before obtaining evidence, ensure that there is legal authority to seize evidence and review the data associated with the evidence. This might require obtaining a warrant in a criminal matter or ensuring that internal policies authorise seizure for an internal investigation.”

Determine privacy issues:

“Before the fraud examiner can seize evidence, he must take certain steps to help ensure that the evidence will be admissible: He must determine whether there are any privacy interests in the item(s) to be searched… In every case where it becomes necessary to seize a computer or other device capable of storing digital evidence, the investigator should consult with legal counsel.”

Use only trained professionals/software:

“It is important to allow a trained examiner to conduct a proper seizure and examination of digital evidence to help ensure that the information can be used in a legal proceeding.”

✅ These are all valid required steps.

In contrast, the idea that the team must be composed only of outside digital forensic experts is NOT a required step. The Manual stresses flexibility in team composition:

“Some organisations have their own in-house personnel… while others might prefer the use of an outside examiner. Sometimes retrieving digital data is as easy as searching the target computer’s hard drive, but other times retrieval requires a thorough knowledge of computers.”

Thus, requiring only outside experts is not a standard step, since investigations may use internal, external, or a mix of specialists depending on the situation.

The Fraud Examiners Manual states:

“Records obtained from financial institutions are perhaps the single most important financial source available to a fraud examiner for tracing purposes”.

These records reveal deposits, withdrawals, transfers, and are essential in asset tracing.

“The interviewer generally should indicate his name and company, but he should avoid stating his title. In general, the more informal the interview, the more relaxed the respondent”.

Introducing oneself only by name and company (not title like CFE or auditor) avoids intimidation and builds cooperation.

CFE interview guidance identifies verbal behaviors that often appear when an interviewee is being deceptive. A strong indicator is answering with a question rather than providing a direct denial. When asked directly about misconduct, truthful respondents commonly give a straightforward “no” and may add clarifying facts. Deceptive respondents sometimes deflect, buy time, or attempt to regain control by replying with a question such as, “Why would I do something like that?” This response avoids the substance of the allegation and shifts the burden back to the interviewer, potentially probing how much evidence the interviewer has. While Options A, B, and D are denials (and any denial could be untrue), the CFE materials specifically flag “answering with a question” as a frequent deceptive tactic because it functions as diversion and can indicate discomfort with issuing a clear denial. Therefore, among the choices presented, Option C is most consistent with a deceptive verbal response pattern described in CFE interview methodology.

Link analysis is described as a visual analytic tool that:

“Tracks the movement of money,”

“Demonstrates complex networks,”

“Helps identify indirect relationships with several degrees of separation,” and

“Discovers communications, patterns, and trends.”

It does not display financial ratios—that belongs to traditional financial statement/ratio analysis.

The Fraud Examiners Manual warns against phrasing admissions as direct questions using emotive terms:

“The admission-seeking interview begins with a direct accusation… The accusation should be phrased as though the accused’s guilt has already been established. Emotive words such as steal, fraud, and crime should be avoided… Wrong: ‘Did you do this?’”.

Thus, phrasing the question as “Did you steal the money?” is least effective.

Before conducting surveillance, a memorandum should document the basis for the covert operation, including: (1) the information the operation is based on, (2) expected information to be gained, (3) identities of suspects (subjects) if known, and (4) operatives under the examiner’s control. Confidential sources should not be identified by name but referred to symbolically.

The calibration (or norming) process in interviews is meant to establish a baseline of the subject’s normal verbal and nonverbal behavior. This is done by asking noncritical background questions so that later deviations can be more reliably identified.

From the CFE Prep guide:

“The proper way an interviewer should start the calibration (norming) of a witness is through the use of: Noncritical questions on background information. … Examples of noncritical questions include ‘When did you start with the company?’ and ‘How long is your commute?’”.

Thus, the correct answer is D. “How many jobs have you had before this one?” since it is a nonthreatening background question.

“Internal sources will sometimes be the only resource for certain types of documents—such as… employee personnel files—unless the fraud examiner has the subject’s consent or a legal order”.

External searches may reveal addresses, assets, or competitor ownership, but personnel files require internal/non-public access.

Phone records are classified as nonpublic records. The Fraud Examiners Manual explains that personal telephone and mobile records usually require consent, subpoena, or warrant to access. Public records, by contrast, include real property ownership and corporate filings. Therefore, B is correct.

Explanation with Extracts = The 2014 Fraud Examiners Manual states:

“The EU Data Protection Directive … regulates the processing, using, and transferring of personal data within the European Union, and it places limits on transmitting personal data to non-EU countries”.

Therefore, a U.S.-based examiner handling HR data of an EU employee must comply with EU GDPR requirements.

The CFE Prep – Investigations notes:

“Court records are best obtained from the jurisdiction in which they were filed… The most accurate records are maintained by the court of original jurisdiction, not global or aggregated databases.”

Thus, the best place for Sam is the local court of jurisdiction, not a global database.

Social media content is dynamic—posts can be edited, deleted, or moved—so fraud examiners must preserve relevant information promptly and in a manner that supports authenticity and admissibility. CFE investigative guidance emphasizes that documentary (including digital) evidence carries limited value in legal proceedings unless it can be shown to be authentic and in substantially the same condition as when collected. Simply saving a link (Option A) is weak because the underlying content can change, and a link does not preserve what was actually observed. Requesting a copy from the platform (Option B) is often impractical as a routine step and may require legal process; it also does not replace contemporaneous preservation by the examiner. A “forensic shutdown” (Option C) is not an appropriate method for preserving web-based social media content because the key evidence exists on external servers, not solely on the examiner’s machine. Proper practice is to download/capture and preserve what was observed while documenting the collection steps and maintaining a defensible chain of custody so authenticity can be established if needed in court.

The Fraud Examiners Manual notes that when witnesses become hostile or argumentative, the interviewer should generally remain calm and avoid reacting to hostility. Reacting, reasoning, or arguing often escalates the situation. Instead, the interviewer should maintain control and neutrality .

“Opinions or conclusions concerning the guilt or innocence of a fraud suspect is outside the scope of a fraud examination and should never be included in a report”.

Functions of a fraud examination report include presenting evidence, corroborating facts, and supporting credibility. Communicating the examiner’s qualifications to provide opinions is not a function.

Therefore, option D is not a function of a fraud examination report.

Admission-seeking interviews are designed:

“to obtain a legal admission of wrongdoing… also to distinguish innocent individuals from culpable ones and to secure a signed written statement”.

The primary purpose is obtaining a valid confession.

The Fraud Examiners Manual clarifies:

“The recommendations section is optional, and there might be instances where the fraud examiner wishes to discuss remedial measures or specific recommendations in a separate document”.

The Prep guide also states: “A written report might include a section for recommendations”.Thus, it is not required in every report.

Predictive analytics is defined as:

“the use of historical data combined with statistical, analytical, and machine learning techniques to create models that capture trends and produce forecasts”.

So, option C best describes predictive analytics.

“Electronic payment records can be valuable in tracing investigations… they can reveal, among other things, assets the subject has purchased”.

They can also reveal loans, real estate taxes, and business locations, but not directly whether Lottie is “skimming” funds.

Fraud examination reports are not written only for internal use. The 2014 International Fraud Examiners Manual clearly emphasizes:

“When drafting a report, fraud examiners must consider who might end up reading it. Fraud examiners should keep in mind that the fraud examination report will be read by the general public and adverse parties. Under no circumstances should the fraud examiner prepare a communication with the idea that the information will not be disclosed to adverse third parties. Fraud examiners should draft their reports with this caveat in mind.”

The manual further specifies the wide range of potential readers:

*“There are many individuals and groups that might end up reading a fraud examination report, including the following parties:

Company insiders (managers, board of directors, owners, investors, etc.)

Attorneys (legal counsel, prosecutors, regulators, and defense counsel)

Defendants and witnesses

Press and media outlets

Judges or juries”*

This aligns with the CFE Prep - Investigations study guide, which also confirms:

“There are many parties that might read a fraud examination report, including company insiders, attorneys, defendants and witnesses, press and media outlets, and judges or juries.”

📌 Interpretation:

The media may access the report through litigation disclosures or leaks.

Opposing legal counsel will review the report during discovery or trial.

Investors and owners (company insiders) are primary stakeholders.

Thus, the only correct choice is D. All of the above, because fraud examination reports must be written with all possible audiences in mind, ensuring accuracy, clarity, impartiality, and professionalism to withstand scrutiny from multiple directions.

The Fraud Examiners Manual notes:

“Fraud examiners are often tasked with tracing illicit transactions… For example, a victim of fraud might want a tracing search to facilitate the recovery of criminal proceeds”.

Digital forensics guidance stresses:

If the computer is off, do not turn it on, because booting will alter files and timestamps.

If the computer is on and volatile data is needed (e.g., RAM), a formally trained examiner may collect it live. Otherwise, simply unplugging the system (hard shutdown) preserves volatile evidence better than a graceful shutdown.

Thus, if the evidence exists only in volatile data and the system is running, Nobles may collect it via the normal interface.

✅ Answer: A. If Lucas's computer is running, Nobles may retrieve data… if the evidence exists only in volatile data

The Fraud Examiners Manual clearly states:

“Accessing information set to private could result in claims under privacy laws. Thus, information on social media sites that is restricted by privacy settings could result in liability for fraud examiners due to violation of users’ privacy rights.”

Therefore, D is correct

The Fraud Examiners Manual lists specific queries for accounts payable analysis, including:

“Review recurring monthly expenses and compare to posted/paid invoices.”.

While comparing book vs. tax depreciation applies to asset management (not A/P), and identifying paycheck anomalies applies to payroll (not A/P), the most effective A/P-specific test is the recurring expense comparison. Hence, C is correct.

During admission-seeking interviews, when suspects persist with denials or alibis, examiners are trained to diffuse them. Accepted techniques include:

Discussing testimony of witnesses,

Displaying physical evidence, and

Downplaying the strength of evidence.

However, manuals caution that discussing a suspect’s prior deceptions is not an effective or recommended method to diffuse alibis. It risks confrontation and may damage rapport, reducing chances of confession.

Therefore, option C is the exception.

 “Before commencing a formal investigation (and especially before starting the evidence collection process), it might be necessary to prepare the subject organisation… such as preparing the managers of the employees who will be involved in the investigation, notifying key decision makers, and notifying the organisation’s legal counsel”.

ï‚· It is not good practice to notify the entire workforce or inform the suspect.

“Due to the risks of illicit transactions, most jurisdictions require financial institutions to obtain information about the ownership and control of the foreign bank with which they maintain correspondent relationships”.

The 2014 International Fraud Examiners Manual provides examples of data analysis for accounts payable:

“Examples of data analysis queries that can be performed to help detect fraud through examination of accounts payable include:

• Audit paid invoices for manual comparison with actual invoices.

• Summarise large invoices by amount, vendor, etc.

• Identify debits to expense accounts outside of set default accounts.

• Reconcile cheque registers to disbursements by vendor invoice.”

While other functions apply to payroll or asset management, the most effective function for accounts payable fraud detection is to summarize large invoices by amount and vendor.

The Manual emphasizes that interviews should be held where the respondent feels comfortable and secure, not threatened:

“When possible, the interview should be held in a venue where the subject will feel comfortable and secure”.

Holding it in an uncomfortable setting is counterproductive and contrary to best practices.

The 2014 International Fraud Examiners Manual states:

“The information contained on a wire transfer generally will include the following items:

• The amount of the transfer

• The date of the transfer

• The name of the sender or originator

• The routing number of the originating bank or financial institution.”

Therefore, the correct answer is C.

Detailed Explanation with Extracts = The Fraud Examiners Manual states:

“When reporting the results of a fraud examination, it is best to include copies (not originals) of important documents in the formal report”.

Originals should be safeguarded separately for evidence; reports should use copies.

Therefore, the statement is true.

Textual analytics is used to extract investigative insight from unstructured data—communications and documents that are not stored in standard database fields—such as emails, chats, memos, and other narrative text. CFE investigative guidance explains that textual analysis applies linguistic methods and statistical techniques to identify themes, anomalies, and linkages within large volumes of text. Its purpose is not to determine truthfulness or deception with certainty (Option A), because text analytics cannot reliably “detect lies” in a definitive way. Nor is its primary objective to guarantee discovery of a confession (Option B); admissions can appear, but that is not the defining function of the approach. Option C aligns more with flow-of-funds visualization or link/relationship charting for financial movements rather than analyzing language content. Instead, textual analysis is performed to categorize and structure text so patterns, sentiments, recurring topics, and relationships between people and events become visible—helping examiners prioritize leads, identify risk indicators, and focus investigative testing on communications most indicative of potential fraud.

The manual explains:

“After the interviewer establishes rapport through normal conversation, he must observe the respondent’s reactions. This will serve as a baseline for observing behaviour when questions that are more sensitive are asked.”

A neutral, non-threatening question such as “How long have you been in this department?” is ideal for establishing a baseline.

When preparing to interview subjects across jurisdictions, fraud examiners must consider both legal rights and cultural differences. The Manual advises examiners to:

Research local laws governing the right to counsel during interviews.

Understand cultural norms (e.g., greetings, eye contact).Failing to observe these can damage credibility. Thus, it is most accurate that an examiner must determine whether the subject can legally insist on a lawyer’s presence .

The 2014 International Fraud Examiners Manual provides:

“Fraud examiners can use a correlation analysis to determine the relationships between different variables in raw data… For example, there should be a strong correlation between the independent and dependent variables because there is a direct relationship between them. Hotel costs should increase as the number of days travelled increases.”

CFE Prep – Investigations echoes this:

“Using the correlation analysis function, fraud examiners can determine the relationships between different variables in the raw data. For example… Hotel costs should increase as the number of days travelled increases.”

Thus, the most useful analysis is Correlation analysis.

Explanation with Extracts = The Fraud Examiners Manual explains:

“Forensic analysis should not be performed on suspect devices directly because doing so can alter or damage digital evidence, and imaging the data… allows a fraud examiner to view and analyse the contents of a computer without altering the original data in any way”.

Imaging creates an exact, sector-by-sector copy of the drive.

Thus, imaging protects original data integrity.

“Introductory questions should be designed to establish rapport… the interviewer must establish some common ground with the respondent before he begins the fact-gathering portion of the interview. Interviewers usually establish rapport by spending a few minutes with the respondent in an informal dialogue”.

Thus, Vishal’s small talk about ties and sports is rapport-building.

The 2014 Fraud Examiners Manual and CFE Prep explain:

“Closing questions seek to close the interview positively. In routine interviews, closing questions serve the following purposes: reconfirm facts, gather additional facts, and conclude the interview in a manner required to maintain goodwill.”

Thus, the correct answer is A.

When dealing with potentially hostile or volatile interviewees, fraud examiners are advised not to give much advance notice. This reduces the chance that the subject will prepare evasive or combative responses. The Fraud Examiners Manual emphasizes minimizing preparation time for resistant interviewees to ensure more candid responses.

During admission-seeking interviews, fraud examiners often employ rationalization techniques to help the suspect justify their misconduct and make it easier to confess. One of these rationalizations is the altruistic appeal.

From the 2014 International Fraud Examiners Manual:

“Facilitators of communication are those socio-psychological forces that make conversations, including interviews, easier to accomplish. These facilitators require a basic understanding of what motivates people. The facilitators are: fulfilling expectations, recognition, altruistic appeals, sympathetic understanding, new experience, catharsis, need for meaning, and extrinsic rewards.”

From the CFE Prep - Investigations study guide:

“Facilitators of communication… include fulfilling expectations, recognition, altruistic appeals, sympathetic understanding, new experience, catharsis, need for meaning, and extrinsic rewards.”

📌 Application to Scenario:

Beta says: “I know you didn’t do this for yourself; it was for your family.”

This is a classic altruistic appeal — reframing the suspect’s motive as selfless or for the benefit of others, rather than selfish wrongdoing.

The purpose is to reduce internal resistance to confessing by allowing the suspect to rationalize the act as being for a noble reason.

The manual explains:

“Link analysis is very effective for identifying indirect relationships… and is particularly useful when conducting a money laundering investigation because it can track the placement, layering, and integration of money” .

Therefore, statement A is false, making it the correct choice.

When the objective is asset recovery through civil legal action, the practical value of litigation depends heavily on collectability—whether a favorable judgment can be satisfied. CFE guidance on tracing and asset recovery highlights that tracing engagements are commonly undertaken specifically to determine whether a potential defendant can pay a court-ordered sum if judgment is entered, and to locate assets that can be used to satisfy a judgment. If the defendant is judgment-proof or has insufficient reachable assets, the legal action might be economically irrational even if liability is strong. While statute of limitations (D) is legally important, the question asks what is most important before moving forward with a recovery action; from an investigative and recovery perspective, the threshold question is whether there are assets to recover or a realistic path to enforcement. Past arrests (B) do not answer the recovery feasibility question. Option C misframes the decision: legal actions proceed based on evidence and counsel’s assessment, but recoverability often drives whether to invest in litigation. Therefore, assessing whether the defendant has sufficient money or property to satisfy a judgment is the most important preliminary question.

The Manual and Prep Guide state:

“Before conducting a covert operation, it is essential that the basis for the operation be committed to writing, preferably in a memo. The memorandum should clearly state: the information upon which the covert operation will be based; the information that is expected to be gained from the operation; the identities of suspects, if known; operatives under the fraud examiner’s care, custody, or control. Confidential sources’ identities should not be disclosed.”

Thus, expected information belongs, but confidential source identities must not

“When searching for an individual, the fraud examiner should obtain a past address of the subject, and search activities should begin with that information”.

Therefore, saying a past address is “of no help” is incorrect.

CFE Prep clarifies entrapment:

“Entrapment occurs when law enforcement induces a person to commit a crime that he is not predisposed to commit… It is imperative that adequate predication exists before the operation is commenced. For example, if the officer received a reliable tip, that could serve as adequate predication.”

Here, the officer acted on a reliable tip, so the entrapment claim would fail.

The Fraud Examiners Manual states:

“The expenditures method works best when the subject spends illicit income on consumables (e.g., travel and entertainment), because when the subject spends the illicit income, it will not cause an increase in net worth.”

CFE Prep confirms:

“The expenditures method … is best used when the subject spends illicit income on consumables (such as travel and entertainment) that would not cause an increase in net worth.”

Thus, the correct answer is A.

The CFE Prep – Investigations states:

“If a fraud examiner gets a verbal confession from the fraudster, it does not matter whether the fraudster claims his conduct was an accident. The following items of information should be obtained … admission that the accused knew the conduct was wrong, facts known only to the confessor, the accused’s motive, approximate dates, involvement of others, physical evidence, and disposition of illicit income.”

Thus, the examiner does not need a statement about accident.

CFE methodology stresses that fraud examinations should be conducted with the assumption that the matter could end in litigation, which directly affects evidence-handling decisions. If litigation is reasonably anticipated, organizations often must preserve potentially relevant records through measures such as litigation holds and suspension of normal record-retention/destruction practices. Disposing of evidence while litigation is likely (or while a duty to preserve could exist) can create serious consequences, including sanctions, adverse inferences, monetary penalties, and other legal repercussions for spoliation or failure to preserve evidence. Because the central risk is future legal proceedings—civil, criminal, regulatory, or employment-related—the most important consideration when deciding whether evidence can be disposed of is whether additional litigation is likely or could reasonably arise. The physical form of evidence (A) affects preservation techniques, but it is not the key decision driver for disposal. Reporting summaries (C) do not replace original evidence. Whether evidence is direct or circumstantial (D) is not the deciding factor; both can be critical depending on the case. Thus, likelihood of future litigation is the most important factor.

The Fraud Examiners Manual advises that fraud examiners should preserve and organize evidence, and one of the key steps is to establish a document database early. This allows examiners to track documents, index them, and link them to findings. Dusting for fingerprints, leaving originals behind, or organizing solely in chronological order are not standard best practices .

Explanation with Extracts: In interviews, deceptive subjects often stall to gain time to construct plausible responses. The CFE Prep - Investigations notes that deceptive interviewees may ask for questions to be repeated or otherwise delay in order to think of what to say.